Date: Thu, 09 Sep 2010 14:05:00 -0000
From: Jan Kratochvil
To: Tom Tromey
Cc: gdb-patches@sourceware.org
Subject: [patch] Fix ELF stale reference [Re: [patch] .gdb_index: Do not crash on NOBITS]
Message-ID: <20100909090511.GA937@host1.dyn.jankratochvil.net>
References: <20100908185837.GA24606@host1.dyn.jankratochvil.net>

On Wed, 08 Sep 2010 21:40:12 +0200, Tom Tromey wrote:
> >>>>> "Jan" == Jan Kratochvil writes:
>
> Jan> which should not be fatal but due to some other bugs therein it can
> Jan> crash GDB.
>
> I am curious about these other bugs.

+      /* Memory gets permanently referenced from ABFD after
+	 bfd_get_synthetic_symtab so it must not get freed before ABFD gets.
+	 It happens only in the case when elf_slurp_reloc_table sees
+	 asection->relocation NULL.  Determining which section is asection is
+	 done by _bfd_elf_get_synthetic_symtab which is all a bfd
+	 implementation detail, though.  */

That is from:

#0  in elf_slurp_reloc_table_from_section (abfd, asect, rel_hdr, reloc_count=1170, relents, symbols, dynamic=1) at elfcode.h:1482
#1  in bfd_elf64_slurp_reloc_table (abfd, asect, symbols, dynamic=1) at elfcode.h:1563
#2  in _bfd_elf_get_synthetic_symtab (abfd, symcount=0, syms, dynsymcount=1792, dynsyms, ret) at elf.c:9269
#3  in elf_symfile_read (objfile, symfile_flags=6) at elfread.c:809

Where elfcode.h:elf_slurp_reloc_table_from_section contains

	  ps = symbols + ELF_R_SYM (rela.r_info) - 1;
	  relent->sym_ptr_ptr = ps;

`symbols' here is elf_symfile_read's `dyn_symbol_table'.
`dyn_symbol_table' got immediately xfree'd but the freed memory remained
referenced by asect->relocation (containing the RELENT memory above, stored
there by elf_slurp_reloc_table).

asect->relocation probably does not get used if ABFD is not being read in
the second time, which happens only if OBJFILE is being created the second
time, which happens due to the error call in the previous mail.

I was curious there elf_symfile_read uses 0 for COPY_NAMES in a similar case:

	  elf_symtab_read (objfile, ST_REGULAR, symcount, symbol_table, 0);

where SYMBOL_TABLE is also immediately xfreed.  But that seems to be correct
as elf_slurp_symbol_table uses

	  symbase = (elf_symbol_type *) bfd_zalloc (abfd, amt);

for the content where later elfread.c's SYMBOL_TABLE points to.  Only the
pointers get xfreed which is OK.

No regressions on {x86_64,x86_64-m32,i686}-fedora14snapshot-linux-gnu.

Thanks,
Jan

gdb/
2010-09-09  Jan Kratochvil

	Fix stale memory references.
	* elfread.c: Include libbfd.h.
	(elf_symfile_read): Replace xmalloc by bfd_alloc, drop xfree, new comment.

--- a/gdb/elfread.c +++ b/gdb/elfread.c @@ -37,6 +37,7 @@ #include "complaints.h" #include "demangle.h" #include "psympriv.h" +#include "libbfd.h" extern void _initialize_elfread (void); @@ -792,8 +793,14 @@ elf_symfile_read (struct objfile *objfile, int symfile_flags) if (storage_needed > 0) { - dyn_symbol_table = (asymbol **) xmalloc (storage_needed); - make_cleanup (xfree, dyn_symbol_table); + /* Memory gets permanently referenced from ABFD after + bfd_get_synthetic_symtab so it must not get freed before ABFD gets. + It happens only in the case when elf_slurp_reloc_table sees + asection->relocation NULL. Determining which section is asection is + done by _bfd_elf_get_synthetic_symtab which is all a bfd + implementation detail, though. */ + + dyn_symbol_table = bfd_alloc (abfd, storage_needed); dynsymcount = bfd_canonicalize_dynamic_symtab (objfile->obfd, dyn_symbol_table);
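Review bot: the first hunk adds `#include "libbfd.h"`, which is BFD's internal declarations header, to gdb/elfread.c just to get a prototype for bfd_alloc; the ChangeLog line "* elfread.c: Include libbfd.h." records the include but not that a dependency on a BFD-internal interface is intended, so please say so in the commit message (or use a public declaration if one is available) so a later cleanup does not remove it and break the build.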
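Review bot: the second hunk swaps xmalloc, which never returns NULL, for bfd_alloc, which returns NULL (and sets bfd_error_no_memory) on failure, yet `dyn_symbol_table = bfd_alloc (abfd, storage_needed);` is passed straight into bfd_canonicalize_dynamic_symtab with no NULL check; please test the result and report the allocation failure before that call. Minor: the new comment's first sentence ends "before ABFD gets." and reads as if a word is missing, e.g. "before ABFD gets closed".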
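To make the lifetime rule behind this fix concrete, here is an added C example; it is not GDB or BFD code, and every toy_* name in it is invented for the illustration. A toy "bfd" owns an arena whose blocks live until the bfd is closed, a section caches a relocation table whose single entry points into the symbol-pointer array handed to the slurp routine (as elf_slurp_reloc_table_from_section does with SYMBOLS), and the caller either frees that array at once (the xmalloc/xfree pattern the patch removes) or allocates it from the arena (the bfd_alloc pattern the patch introduces). An ownership check then asks whether the retained pointer still lands in bfd-owned memory, which is the property a second read of the same bfd depends on.

```c
/* Added example, not GDB or BFD code: a toy model of the stale-reference
   bug.  All toy_* names are invented for this illustration.  */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_MAX_BLOCKS 16

struct toy_symbol { const char *name; };

/* Like arelent: keeps a pointer INTO the symbol-pointer array.  */
struct toy_reloc { struct toy_symbol **sym_ptr_ptr; };

/* Like asection: the relocation table is built once and then cached.  */
struct toy_section { struct toy_reloc *relocation; };

/* Like a bfd with its obstack: blocks live until toy_bfd_close.  */
struct toy_bfd
{
  void *blocks[TOY_MAX_BLOCKS];
  size_t block_size[TOY_MAX_BLOCKS];
  size_t nblocks;
  struct toy_symbol syms[2];   /* constructed "dynamic symbol table" */
  struct toy_section sect;
};

static void *toy_bfd_alloc (struct toy_bfd *abfd, size_t size)
{
  void *p = calloc (1, size);
  assert (p != NULL && abfd->nblocks < TOY_MAX_BLOCKS);
  abfd->blocks[abfd->nblocks] = p;
  abfd->block_size[abfd->nblocks++] = size;
  return p;
}

static void toy_bfd_close (struct toy_bfd *abfd)
{
  for (size_t i = 0; i < abfd->nblocks; i++)
    free (abfd->blocks[i]);
  abfd->nblocks = 0;
}

/* Models elf_slurp_reloc_table: builds the table only when the cache is
   empty, storing a pointer at SYMBOLS + index; later calls reuse the cache
   whatever SYMBOLS they are given.  */
static struct toy_reloc *toy_slurp_relocs (struct toy_bfd *abfd,
                                           struct toy_section *sect,
                                           struct toy_symbol **symbols)
{
  if (sect->relocation == NULL)
    {
      sect->relocation = toy_bfd_alloc (abfd, sizeof (struct toy_reloc));
      sect->relocation[0].sym_ptr_ptr = symbols + 1;  /* ELF_R_SYM - 1 */
    }
  return sect->relocation;
}

/* Models elf_symfile_read.  FIXED = 0 is the xmalloc/xfree pattern,
   FIXED = 1 the bfd_alloc pattern.  Returns the name the cached
   relocation resolves to on this call.  */
static const char *toy_symfile_read (struct toy_bfd *abfd, int fixed)
{
  size_t storage_needed = 2 * sizeof (struct toy_symbol *);
  struct toy_symbol **dyn_symbol_table
    = fixed ? toy_bfd_alloc (abfd, storage_needed) : malloc (storage_needed);
  assert (dyn_symbol_table != NULL);
  dyn_symbol_table[0] = &abfd->syms[0];
  dyn_symbol_table[1] = &abfd->syms[1];
  struct toy_reloc *rel = toy_slurp_relocs (abfd, &abfd->sect, dyn_symbol_table);
  const char *name = (*rel->sym_ptr_ptr)->name;
  if (!fixed)
    free (dyn_symbol_table);   /* the old cleanup: rel->sym_ptr_ptr now dangles */
  return name;
}

/* Ownership check: does the cached relocation point into a block the bfd
   owns?  Only pointer values are compared; nothing is dereferenced.  */
static int toy_reloc_points_into_bfd (const struct toy_bfd *abfd)
{
  uintptr_t p = (uintptr_t) abfd->sect.relocation[0].sym_ptr_ptr;
  for (size_t i = 0; i < abfd->nblocks; i++)
    {
      uintptr_t b = (uintptr_t) abfd->blocks[i];
      if (p >= b && p < b + abfd->block_size[i])
        return 1;
    }
  return 0;
}

/* Patched pattern: a second read (objfile created a second time) resolves
   correctly and the retained pointer stays in bfd-owned memory.  */
static int toy_fixed_reads_twice (void)
{
  struct toy_bfd abfd = { .syms = { { "foo" }, { "bar" } } };
  int ok = strcmp (toy_symfile_read (&abfd, 1), "bar") == 0
           && strcmp (toy_symfile_read (&abfd, 1), "bar") == 0
           && toy_reloc_points_into_bfd (&abfd);
  toy_bfd_close (&abfd);
  return ok;
}

/* Original pattern: the first read succeeds, but the cache is left pointing
   at freed memory, so a second read would be a use-after-free (visible
   under -fsanitize=address).  Returns 1 when the stale reference is found.  */
static int toy_buggy_leaves_stale_reference (void)
{
  struct toy_bfd abfd = { .syms = { { "foo" }, { "bar" } } };
  int stale = strcmp (toy_symfile_read (&abfd, 0), "bar") == 0
              && !toy_reloc_points_into_bfd (&abfd);
  toy_bfd_close (&abfd);
  return stale;
}

int main (void)
{
  printf ("bfd_alloc pattern survives a second read: %d\n", toy_fixed_reads_twice ());
  printf ("xfree pattern leaves a stale reference:   %d\n", toy_buggy_leaves_stale_reference ());
  return 0;
}
```

The check in toy_reloc_points_into_bfd is the kind of assertion worth keeping near any code that lets a long-lived object cache pointers into a buffer a caller supplied: if the buffer's owner is not the object doing the caching, the object's lifetime and the buffer's lifetime have to be tied together explicitly, which is exactly what moving the allocation onto the bfd does.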